25 January, 2016
One of the biggest news for the Asia-Pacific (“APAC”) in 2015 would have to be the Trans-Pacific Partnership (“TPP”), which is the largest regional free trade agreement to date, reached between 12 countries from both sides of the Pacific (Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, United States and Vietnam) that represent 40% of global GDP.
TPP ON PERSONAL DATA IN THE DIGITAL ECONOMY
Having taken more than five years to fully conceive, the TPP is focused on increasing open trade and regional integration in APAC. Apart from offering new market access and investment opportunities, a striking feature about the TPP is a dedicated Chapter 14 on provisions for electronic commerce, which manifests the collective interest of the 12 member countries to ensure freedom of cross-border data and information flows that is the pulse of the digital economy, with a commitment to protect personal data.
PROTECTION OF PERSONAL INFORMATION
The bedrock provision on the protection of personal data would be Article 14.8, where each member country will be required to “
adopt or maintain a legal framework that provides for the protection of personal information of the users of electronic commerce”, and member countries should “endeavour” to develop mechanisms and suitable arrangements “ to promote compatibility between different regimes”.
The TPP has defined “personal information” in Article 14.1 broadly to mean “ any information, including data, about an identified or identifiable natural person”, which is similar to the position in the European Union.
With the exception of Brunei and Vietnam which are in the process of implementing their respective legal frameworks for the protection of personal data, the other member countries already have established laws that address personal data protection and cross border data transfers in one way or another.
CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION
Where cross-border data transfers are concerned, Article 14.11, while recognising that each member country would have its own regulatory requirements concerning the transfer of information (by electronic means), obliges each member country to “ allow the cross-border ransfer of information by electronic means, including personal information, when this activity is for the conduct of the business…”. Notably, “conduct of the business” has been left undefined, so this requirement could conceivably cover all manner of business whether for a commercial or non-commercial purpose.
FREEDOM OF DATA AND INFORMATION FLOWS
Information that fuels the digital economy, including personal data, will inevitably involve the use of computing technology residing physically in a territory. To prevent localisation of “computer servers and storage devices for processing or storing information for commercial use”, Article 14.13 ensures that no member country shall require companies “ to use or locate computing facilities in that [member country’s] territory as a condition for conducting business in that territory”.
CYBER SECURITY
In light of the growing cyber threat landscape that could disrupt the digital economy, Article 14.16 recognises the importance of capability building at the domestic level for computer security incident response, and also collaboration in terms of identifying and mitigating malicious intrusions or dissemination of malicious code that affect the electronic networks of member countries.
HOW THE DATA PROTECTION PROVISIONS OF THE TPP WILL AFFECT BUSINESSES
The opportunity that the TPP presents, is the potential for member countries to harmonize their personal data protection laws APAC-wide to reduce the cost of compliance and the cost of operations across a patchwork of national data protection laws, for collecting or processing personal data in member countries, and/or cross-border transfers of personal data between member countries.
We could see a more uniformed approach and concerted effort towards the protection of personal data, which will help build trust and confidence between businesses and consumers in TPP markets with some of the highest growth for Internet usage and B2C and B2B electronic commerce globally.
Businesses will also have the freedom and flexibility of storing and processing personal data across different TPP markets with respect to personal data that is collected. In particular, businesses will be able to rely on economies of scale of the digital environment to serve multiple TPP markets using computing and data (centre) storage facilities from fewer locations, without the need to build or invest in such infrastructure in every TPP market that the business seeks to serve.
A SAFE HARBOUR FOR APAC?
With the United States (“US”) and the European Union (“EU”) still reeling from the European Court of Justice (“ECJ”) decision to invalidate the Safe Harbour framework for cross-border data transfers across the Atlantic, the TPP gives data protection authorities in member countries the opportunity to chart its own set of principles and standards for the transfer and processing of personal data for APAC. Where the current sentiment in the EU, in reaction to the ECJ decision with respect to data transfers to the US, is seemingly one of restriction and data localisation, the TPP by contrast, is generally against such arrangements (barring financial
services).
In light of the overall drive for openness and collaboration under the TPP, including obligations on member countries under Article 14.15 to “ exchange information and share experiences on regulations, policies, enforcement and compliance regarding electronic commerce, including personal information protection and security in electronic communications”, and to “ encourage development by the private sector of methods of self-regulation that foster electronic commerce, including codes of conduct, model contracts, guidelines and enforcement mechanisms”, the possibility for an APAC Safe Harbour could very well be on the horizon.
IMPLEMENTATION
With the successful conclusion of negotiations, member countries must now begin the process of ratifying and implementing the TPP, which is expected to come into force within two years when domestic legislative procedures have completed. It will certainly be interesting to see how the TPP pans out for APAC.
rizwi.wun@rhtlawtaylorwessing.com
